Identity-based cyberattacks made up nearly a third of intrusions in 2024, while the delivery of infostealers by email increased a dramatic 84%, according to the IBM X-Force 2025 Threat Intelligence Index published Thursday.

The report revealed that 30% of intrusions involved the misuse of valid credentials, marking the second year in a row that valid logins tied with exploitation of public-facing applications as the top initial access vector.

The use of infostealers and the sale of stolen credentials on the dark web help facilitate such identity-based intrusions, and infostealers appear to be usurping persistent backdoors as one of the most common malware payloads spread via email phishing.

“Deploying persistent malware on an endpoint through an email is much more likely to be detected by endpoint detection and response (EDR) solutions, forcing threat actors to adapt strategies and focus on identities,” the report stated. “This manifested in an increase in the use of infostealers and shift towards credential phishing.”

The incidence of infostealer advertisements on dark web forums increased 12% in 2024, with the most commonly advertised stealer being Lumma Stealer, also known as LummaC2. Credential phishing, through the use of fake login sites, also increased in 2024, according to IBM.

Researchers observed a shift in email phishing and malware tactics last year: the use of malicious URLs and PDF attachments increased, while ZIP and RAR attachments decreased by 70% and 45%, respectively. PDFs were the most common files attached to malicious emails, making up more than 45% of malicious attachments.

Attackers tend to hide malicious URLs in PDFs using obfuscation methods such as encryption or hexadecimal encoding, or by placing the URLs inside compressed streams. This makes the malicious content harder for email scanners to detect than malware delivered directly as an attachment or archive.

Exploitation of vulnerabilities in public-facing applications also made up 30% of intrusions, including 26% of critical infrastructure attacks. The most-discussed vulnerability on the dark web was CVE-2024-21762, a remote code execution (RCE) flaw in Fortinet FortiOS.

All of the top 10 most-discussed vulnerabilities had publicly available exploits or were actively exploited within the last year, according to IBM, with 60% of the top vulnerabilities gaining a public exploit within two weeks of disclosure.

To combat growing identity threats, IBM recommends consolidating identity solutions into a unified “identity fabric” to avoid disconnected identity silos, and prioritizing the use of multi-factor authentication (MFA) for all employees.

Robust data protection measures, such as encryption and strong access controls, can also prevent the theft and leakage of credentials, and AI-powered threat detection can catch and respond to credential-based attacks more quickly.
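One way a defender can check a suspicious PDF attachment for the two obfuscations described above (link actions buried in FlateDecode-compressed streams, and URLs written as hex strings). This is an added example, not code from IBM or the report; the sample PDF fragment, its placeholder domain and the `extract_uris` helper are all constructed here.

```python
import re
import zlib

# Constructed sample (not from the report): a minimal PDF fragment in which the
# link action lives inside a FlateDecode-compressed stream and the URL is a hex
# string, two of the obfuscations the article mentions. The domain is a placeholder.
def _hex_string(s: str) -> bytes:
    return b"<" + s.encode("latin-1").hex().encode("ascii") + b">"

_LINK_OBJ = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
             + _hex_string("http://example.invalid/login") + b" >> >>")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
              + zlib.compress(_LINK_OBJ) + b"\nendstream\nendobj\n%%EOF\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# /URI followed by either a literal string (...) or a hex string <...>
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")

def _decode_pdf_string(tok: bytes) -> str:
    body = tok[1:-1]
    if tok.startswith(b"<"):
        h = re.sub(rb"\s", b"", body)
        if len(h) % 2:  # PDF treats a missing final hex digit as 0
            h += b"0"
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\(.)", rb"\1", body).decode("latin-1")  # drop simple escapes

def extract_uris(data: bytes) -> list:
    """Return every /URI action found in plain text or inside inflatable streams."""
    findings = []

    def scan(buf: bytes, where: str) -> None:
        for m in URI_RE.finditer(buf):
            tok = m.group(1)
            findings.append({"where": where, "hex_encoded": tok.startswith(b"<"),
                             "uri": _decode_pdf_string(tok)})

    scan(data, "plain")
    for i, m in enumerate(STREAM_RE.finditer(data)):
        d = zlib.decompressobj()
        try:
            inflated = d.decompress(m.group(1))  # trailing EOL ends up in d.unused_data
        except zlib.error:
            continue  # not Flate data (other filters are out of scope here)
        scan(inflated, f"stream#{i}")
    return findings

if __name__ == "__main__":
    for hit in extract_uris(SAMPLE_PDF):
        print(hit)
```

A real triage tool would also walk object streams and other filters (LZW, ASCIIHex, RunLength) and resolve indirect references, which this example deliberately leaves out.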
Identity-based cyberattacks a third of intrusions, drop infostealers
